Subject: Re: [PATCH 0/8] MODSIGN: Use PKCS#7 for module signatures [ver #4]
From: Mimi Zohar
To: David Howells
Cc: Andy Lutomirski, "Luis R. Rodriguez", Rusty Russell, Michal Marek, Matthew Garrett, keyrings@linux-nfs.org, Dmitry Kasatkin, linux-kernel@vger.kernel.org, Seth Forshee, LSM List, David Woodhouse
Date: Fri, 22 May 2015 08:42:05 -0400
Message-ID: <1432298525.2450.66.camel@linux.vnet.ibm.com>
In-Reply-To: <32619.1432281384@warthog.procyon.org.uk>

On Fri, 2015-05-22 at 08:56 +0100, David Howells wrote:
> Andy Lutomirski wrote:
>
> > Without tagging the purpose of the signed file, you simply don't have
> > a cryptographic guarantee of that. The bad guy can load something
> > else that was signed for an entirely different purpose into the wrong
> > device, possibly crashing it, causing buffer overflows because the
> > format is wrong, or doing any number of other bad things.
>
> One suggestion David Woodhouse made with regard to tagging is that the tag
> could just be added into the digest before it is signed/verified and not
> actually stored in the signature.
>
> This means that if you try loading the firmware for the wrong request, the
> signature verification will fail.
>
> It's an interesting approach that's simple to achieve, but it has the downside
> that the signature will be invalid in the mismatch situation and you can't
> tell whether it's because the module is being misused or the signature is just
> wrong. However, that might be livable with.

With transitive trust, any key on the system keyring would be able to add
keys with any tag, whether the tag is in the cert or the digest. If I trust
cert A to sign keys that add kernel modules or other certs that add kernel
modules, it doesn't mean that I trust that cert to also sign keys that add
firmware, for example, or other keys that add firmware.

Mimi
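The digest-tagging scheme David Howells describes above, as an added example that is not part of this thread or of the kernel's signing code: the purpose tag is mixed into the digest that gets signed rather than stored in the signature, so a payload signed for one purpose fails verification when loaded for another. Ed25519 stands in for the kernel's RSA/PKCS#7 signatures, and the digest layout (tag, a zero separator, then the payload) is an assumption of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// tagDigest hashes the purpose tag together with the payload, so the tag
// is bound into what is signed without appearing in the signature itself.
// Layout (assumed for this example): tag bytes, one 0x00 separator, payload.
func tagDigest(tag string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(tag))
	h.Write([]byte{0})
	h.Write(payload)
	return h.Sum(nil)
}

// signTagged signs the tagged digest with the signer's intended purpose.
func signTagged(priv ed25519.PrivateKey, tag string, payload []byte) []byte {
	return ed25519.Sign(priv, tagDigest(tag, payload))
}

// verifyTagged recomputes the digest with the tag the *loader* expects.
// A wrong tag and a corrupted payload both return false; the verifier
// cannot tell the two apart, which is the downside noted in the thread.
func verifyTagged(pub ed25519.PublicKey, tag string, payload, sig []byte) bool {
	return ed25519.Verify(pub, tagDigest(tag, payload), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	fw := []byte("constructed firmware image bytes") // constructed sample payload
	sig := signTagged(priv, "firmware", fw)
	fmt.Println("loaded as firmware:", verifyTagged(pub, "firmware", fw, sig))
	fmt.Println("loaded as module:  ", verifyTagged(pub, "module", fw, sig))
}
```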